Anomali correlates millions of indicators of compromise against real-time network activity logs and forensic data to detect and identify adversaries early in the kill chain. This product combines automated intelligence collection, curation, and enrichment to make threat intelligence readily available to security teams. It even gives them all the details they need to detect all threats within an environment, including patient zeros buried within years of log data. Finally, it prioritizes remediations for compromised assets based on a machine learning-based risk and criticality score, empowering teams to address threats without adding to their workloads. The full platform encompasses ThreatStream, Match, and Lens to operationalize threat intelligence and unite the tools necessary to speed threat detection and provide proactive defense measures.
Match complements ThreatStream and ingests log data from SIEM or logging technologies to automate threat detection, investigation and response with historical comparisons of log data. The comparisons highlight current and historical hosts that have been impacted within the environment. The Match dashboard displays a helpful overview of top impacts according to weighted asset-driven risk scores. Analysts may drill into such scores for additional information regarding threat impact. Security pros can use Match Explorer for proactive responses, providing analysts with the ability to search for information on specific domains and IPs to include Whois lookups and VirusTotal results. Security teams may even use Explorer to compare domain intelligence with log information to locate the patient zeros of known threats using historical data.
ThreatStream automates threat intelligence collection, curation, and distribution, driving the value and actionability of the data. There are many ways to upload data, including Twitter feeds, Anomali feeds, and ThreatStream Community Trusted Circles. The dashboard provides an insightful overview of all the ingested information. Robust data enrichments such as risk ratings and rating confidence scores are found throughout ThreatStream, providing analysts with everything they need for effective threat mitigation.
Lens serves as the glue of the platform, connecting Match and ThreatStream and therefore uniting the discovery, definition, and ingestion of unstructured intelligence. Lens is a natural language, processing-based browser plugin that focuses on actual phrasings within a page to locate possible pieces of intelligence instead of exact matches. With Lens, analysts may scan any web page for artifacts and pieces of intelligence, extract this information, compare it to ThreatStream’s data repository and Match’s historical data, and then differentiate correlations from other intelligence. Hovering over the highlighted information on a page reveals a detailed intelligence breakdown, including a flame icon to emphasize trending topics. Analysts may create a threat intelligence import for all intelligence information not already in the platform.
Overall, security pros will find Anomali a mature, at-scale threat intelligence product. The automation throughout the platform makes this product easy to use. Lens pulls together Match and ThreatStream to maximize efficiency and intuitive use. Match is a particularly valuable component of Anomali because it offers a unique, historical view of threat intelligence without taxing the system or the analyst. With Anomali, administrators and security teams will stop threats more effectively, improve productivity, and reduce the risk of security breaches.
Pricing starts at $50,000 and includes 24/5 phone, email, and website support for the duration of subscription. Users can get additional support for a fee. Organizations also have access to Anomali University, an effective knowledgebase full of helpful support documentation and a FAQ list.
Written by Katelyn Dunn
Tested by Tom Weil